Russell Wangersky: Convenience vs. security in the internet of things

It’s a little like hiring a doorman without ever doing a criminal reference check or getting a certificate of conduct: you might be getting more than you bargain for.

Last week, a conference in London was told that bringing the smallest kind of technology from the internet of things could bring with it a world of hurt.

First, about the internet of things. That’s the term given to everyday devices that are hooked up to the internet to stream information — and there are a lot of things that do just that. Household appliances, electronic monitoring systems, remote-activation thermostats, computer modems and even home-assistance devices like Amazon’s Alexa and Echo technology: it’s a list that keeps growing in the quest to do every single thing without ever having to lift your butt out of your personalized dent in the couch. (I’m troubled enough that, whenever the internet is on the fritz, a technician with the cable company can finger his way with no trouble into the modem inside our house. And I mentioned my personal concerns a few weeks ago about having an open microphone, like Alexa or Ask Siri, turned on full time in someone’s house.)

Turns out, convenience can have a price.

A casino was hacked, a list of its high-roller clients lifted, and all that hacking was done through a web-enabled thermometer located in an aquarium in the casino’s lobby.

Business Insider, reporting on the security conference, quoted the CEO of web security firm Darktrace, Nicole Eagan, as saying, “The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud.”

Other panelists agreed that the danger is growing.

“With the internet of things producing thousands of new devices shoved onto the internet over the next few years, that’s going to be an increasing problem,” Robert Hannigan, a former top electronic intelligence officer in Britain, told the conference. “I saw a bank that had been hacked through its CCTV cameras because these devices are bought purely on cost.”

And it can be the littlest of things that’s talking online. Think about this: two years ago, a dental insurer in the United States started a lower-fee insurance business that included free internet-enabled electric toothbrushes — toothbrushes that supplied the insurer with information about how long its customers were brushing.

Now, I'm not saying that convenience is necessarily a bad thing — nor am I saying that we’re all immediate targets for high-level internet theft. Needless to say, we don’t have the same sorts of valuables lying around as banks or casinos. What I’m saying is that there have to be meaningful security controls on how much data can leave your house, and what kind of control you should be able to exercise over that data yourself. You can leave your curtains open while you’re changing if you want, sharing all kinds of personal information with the neighbourhood — but that has to be your choice.

That’s something Hannigan also argues — specifically citing as part of the growing security risk that people even bring their home devices, like Alexa, to the office.

“It’s probably one area where there’ll likely need to be regulation for minimum security standards because the market isn’t going to correct itself,” he told the conference. “The problem is these devices still work. The fish tank or the CCTV camera still work.”

Like the doorman whose reference you decided not to check, your home or office may be your fortress, but the internet of things can be an unexpected way inside.

Russell Wangersky’s column appears in 39 SaltWire newspapers and websites in Atlantic Canada. He can be reached at russell.wangersky@thetelegram.com — Twitter: @wangersky.